Data-processing system and method for controlling same, computer program, and computer-readable recording medium

ABSTRACT

A data-processing system and method for controlling synthesizing digital-signature information. The system and method include holding first private-key information, inputting second private-key information, generating third private-key information based on the first private-key information and the second private-key information, holding the third private-key information, generating signature information based on information to be verified and the third private-key information, and outputting the information to be verified and the signature information.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a data-processing system and a methodfor controlling the data-processing system, and particularly relates toa technology for synthesizing digital-signature information.

2. Description of the Related Art

In recent years, digital cameras are rapidly becoming available. Imagesphotographed by the digital cameras are now used in many fields, sincethey can be stored and kept, as electronic image data. Therefore, unlikeknown silver-salt photographs, the user of the digital camera does nothave to develop and print an image photographed by the digital camera.Furthermore, the image is free from aging degradation, easy to beretrieved, and can be transmitted to a distant location via acommunication line, as the image data.

Among the above-described fields, there are the non-life-insuranceindustry, wherein an accident is assessed by using photographed imagesof the damage conditions of an automobile involved in an accident, theconstruction industry, wherein a construction site is photographed forconfirming the progress thereat, and wherein a building is photographedfor confirming the specification thereof, and so forth. Ministry ofLand, Infrastructure, and Transport (MLIT) of Japan has alreadypermitted to use an image photographed by the digital camera for makingthe record of a civil-engineering-work site.

However, since a photographed image taken by the digital camera can bechanged into digital data, the following problems have arisen. Namely,the photographed image can be easily changed and modified on a personalcomputer (PC) by using a commercially available photo-retouch tool,which is an application program. Since the digital data can be easilyprocessed and/or modified, the reliability of the image photographed bythe digital camera is considered to be lower than that of the image of asilver-salt photograph, particularly in the case where the image isused, as a photographic evidence of an accident, or attached to thereport of the accident.

Although the image of a silver-salt photograph can be changed, suchchange is hardly made, since the cost of making the change issignificantly higher than compensation obtained for the change, or theresult of the change is unnatural, which makes a silver-salt photographsuitable to be used, as evidence. Therefore, there is apprehension thatthe above-described defect of an image photographed by the digitalcamera would be a great problem for the non-life-insurance industry andthe construction industry in the future. Subsequently, a systemconfigured to solve the above-described problem has been demanded.

At present, a system for detecting a change in image data by usingdigital-signature data synthesized by an encryption technology isdisclosed in U.S. Pat. No. 5,499,294.

The above-described system includes an image-generation device (acamera) configured to synthesize image data and an image-verificationdevice configured to verify the integrity of the image data. In theimage-generation device, predetermined calculation is executed based onprivate information unique to the image-generation device and data on animage photographed and digitized by the image-generation device, wherebydigital-signature data (described later) which is information used foridentifying the image data (detecting a change in the image) issynthesized. Then, the digital-signature data and the data on the imagephotographed and digitized by the image-generation device are externallytransmitted from the image-generation device. The image-verificationdevice performs verification by comparing data obtained by executingpredetermined calculation to the image data to data obtained byexecuting the inverse of the calculation performed at the time where thedigital-signature data is synthesized to the digital-signature data.Further, in the case of U.S. Pat. No. 5,499,294, a hash function (acompression function) and a public-key cryptosystem are used, forsynthesizing the digital-signature data.

Here, a system configured to detect a change in an image by using adigital signature is considered, where the system is used for animage-synthesis unit such as a camera. The digital signature allowssynthesizing signature data by using a private key, as is the case withthe above-described known technology. The private key can be setaccording to the following two methods.

-   1. The user of the camera synthesizes the private key and sets it to    the camera.-   2. The manufacturer of the camera synthesizes the private key and    sets it to the camera.

Subsequently, the following problems arise.

-   1. Since the user knows the private key, and is the very person who    sets the private key, the image data can be changed only by the    user. Therefore, there is no guarantee that the image photographed    by the camera has not been changed, even though the above-described    known technology had already succeeded in offering the guarantee.-   2. If the manufacturer sets the private key, the user cannot know    the private key so that a high degree of security is achieved.    However, setting private keys to cameras so that each of the private    keys is unique to the camera corresponding thereto makes the steps    of manufacturing the camera complicated. Therefore, identical    private keys should be set for all of the cameras. In that case,    however, if the private key of one of the cameras is analyzed, the    private keys of the other cameras may be analyzed.

SUMMARY OF THE INVENTION

Accordingly, the present invention provides a technology that allowsreducing a load on a manufacturer and the leakage of a private key.Further, even though the private key is analyzed, the present inventionallows preventing other devices from being damaged by the analysis.

According to an aspect of the present invention, there is provided adata-processing device including a holding unit arranged to hold firstprivate-key information, an inputting unit arranged to input secondprivate-key information, a private-key-information generating unitarranged to generate third private-key information based on the firstprivate-key information and the second private-key information, and holdthe third private-key information, a signature-information generatingunit arranged to generate signature information based on information tobe verified and the third private-key information, an outputting unitarranged to output the information to be verified and the signatureinformation.

Further features of the present invention will become apparent from thefollowing detailed description of exemplary embodiments with referenceto the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example configuration of an image-verificationsystem according to an embodiment of the present invention.

FIG. 2 is a block diagram illustrating the configuration of animage-generation device according to the embodiment.

FIG. 3 shows the functional configuration of an image-verificationdevice according to the embodiment.

FIG. 4 shows the functional configuration of a registration authorityaccording to the embodiment.

FIG. 5 is a flowchart illustrating private-key distribution processingaccording to the embodiment.

FIG. 6 is a flowchart illustrating digital-signature synthesisprocessing performed by the image-generation device according to theembodiment.

FIG. 7 is a flowchart illustrating digital-signature verificationprocessing performed by the image-verification device according to theembodiment.

DESCRIPTION OF THE EMBODIMENTS

Hereinafter, embodiments of the present invention will be described indetail with reference to the attached drawings. Components disclosed inthe embodiments are provided by way of example. Subsequently, thecomponents impose no limit to the scope of the present invention.

First Embodiment

First, digital signature will be described in detail.

The digital signature denotes authentication technology. Namely, data(data to be verified) and the digital-signature data correspondingthereto are transmitted from the transmission side and the data forverification is verified on the reception side by using thedigital-signature data, whereby the validity of the data is confirmed.

Usually, a hash function and a public-key cryptosystem are used forconfirming the data validity, so as to synthesize the digital-signaturedata. Here, a private key of the public-key cryptosystem and a publickey are defined as Ks and Kp, respectively, which will be describedbelow.

On the transmission side, plain-text data (data to be verified) M iscompressed by using hash function Ho so that an output h of apredetermined length is calculated. Namely, the calculation H(M)=h isperformed. Next, the output h is converted by using the private key Ksso that the digital-signature data s is synthesized. Namely, thecalculation D(Ks, h)=s is performed. Then, the digital-signature data sand the plain-text data M are transmitted to the verification side.

On the verification side, the digital-signature data s is converted byusing the public key Kp. Namely, the calculation E (Kp, s)=E (Kp, D(Ks,h))=h″ is performed. Further, transmitted plain-text data M′ iscompressed by using the hash function that is the same as that on thetransmission side so that an output h′ is calculated. Namely,calculation H(M′)=h′ is performed. When the outputs h′ and h″ agree witheach other, it is determined that plain-text data M′ is valid (M′=M).

When the plain-text data M is changed between the transmission side andthe verification side, the output h″ obtained by the calculation E (Kp,s)=E (Kp, D(Ks, h″) does not agree with the output h′ obtained bycompressing the transmitted plain-text data M′ by using the hashfunction that is the same as that on the transmission side. Therefore,it is determined that the plain-text data M was changed. If thedigital-signature data s is changed according to the change in theplain-text data M, the change cannot be detected. For making theabove-described change, however, the plain-text data M has to beobtained according to the output h, which is impossible due to theone-wayness characteristic of the hash function.

Next, the hash function will be described. The hash function is used forincreasing the speed of synthesizing the above-described digitalsignature. The hash function has the function of processing theplain-text data M of an arbitrary length and synthesizing the output hof a predetermined length. Here, the output h is referred to as the hashvalue (or either message digest or digital fingerprint) of theplain-text data M. The hash function should be one-wayness andcollision-resistant. When the hash function is one-wayness, thecalculation of the plain-text data M becomes difficult to perform interms of the calculation amount, where the expression h=H (M) holds.Further, when the hash function is collision-resistant, and when theplain-text data M is known, the calculation of the plain-text data M′(M≠M′) becomes difficult to perform in terms of the calculation amount,where the equation H(M)=H(M′) holds. Further, the calculation of theplain-text data M and the plain-text data M′ become difficult to performin terms of the calculation amount, where the equations H(M)=H(M′) andM≠M′ hold.

Hash functions MD-2, MD-4, MD-5, SHA-1, RIPEMD-128, RIPEMD-160, and soforth are known and the algorithms thereof are on public view.

Next, the public-key cryptosystem will be described. The public-keycryptosystem is used for an encryption method wherein a code key (publickey) and a decode key (private key) are different from each other, andthe code key is on public view and the decode key is held in confidence.The public-key cryptosystem has the following characteristics.

(a) Since the code key is different from the decode key and the code keycan be on public, the code key may not be transmitted in secrecy, whichmakes it easy to perform key transmission.

(b) Since the code key of each user is on public, the user has tomemorize his/her own decode key only in secrecy.

(c) An authentication function that allows the reception side to confirmthat the transmission side from which a communication sentence wastransmitted is not spurious and the communication sentence is notchanged.

For example, when an operation for encrypting the plain-text data M byusing the public key Kp is determined to be E(Kp, M) and an operationfor decrypting the plain-text data M by using the private key Ks isdetermined to be D(Ks, M), the public-key cryptosystem algorithmsatisfies the following two conditions.

(1) When the public key Kp is known, the calculation E(Kp, M) can beeasily performed. When the private key Ks is known, the calculationD(Ks, M) can be easily performed.

(2) When the private key Ks is not known, it becomes difficult todetermine the plain-text data M in terms of the calculation amount, eventhough the steps of calculating the public key Kp and E( ), and C(=E(Kp,M)) are known.

Further, the following condition (3) is further set along with theabove-described conditions (1) and (2) so that private communicationscan be performed.

(3) E(Kp, M) can be defined for every plain-text data M so that theequation D(Ks, E(Kp, M))=M holds. That is to say, even though any onecan perform the calculation E(Kp, M), since the public key Kp is onpublic, only a user who owns the private Ks can obtain the plain-textdata M by performing the calculation D(Ks, E(Kp, M)). On the other hand,the following condition (4) is further set along with theabove-described conditions (1) and (2) so that authenticationcommunications can be performed.

(4) D(Ks, M) can be defined for every plain-text data M so that theequation E(Kp, E(Ks, M))=M holds. That is to say, only the user who ownsthe private key Ks can perform the calculation D(Ks, M). If anotherperson performs the calculation D(Ks′, M) by using a false private keyKs′ and disguises, as the user who owns the private key Ks, thecalculation result becomes E(Kp, D(Ks, M))≠M. Therefore, it is confirmedthat the transmitted information is invalid on the reception side.Further, if D(Ks, M) is changed, the calculation result becomes E(Kp,D(Ks, M)′)≠M, so that it is determined that the transmitted data isinvalid on the reception side.

Further, when the validity of the plain-text data M is confirmed, only aperson who owns the private key Ks can synthesize D(Ks, M).Subsequently, it is determined that the user who owns the private key Kssigned the plain-text data M.

RSA code, R code, and so forth are known, as examples that allowperforming the above-described private communications and authenticationcommunications.

Here, encryption and decoding of the RSA code, signature synthesis, andsignature verification that are most frequently used in these days areachieved by the following expressions.

-   Encryption: encryption key (e, n)-   Encryption conversion C=M^e (mod n)-   Decoding: decode key (d, n)-   Decode conversion: M=C^d (mod n)-   Signature synthesis: signature key (d, n)-   Signature synthesis: S=M^d (mod n)-   Signature verification: signature-verification key (e, n)-   Signature verification M=S^e (mod n)

Here, the equation n=p·q holds, where p and Q denote large prime numbersdifferent from each other. Further, e and d are integers fulfilling thefollowing equations.e·d=1 (mod L)L=LCM((p−1), (q−1))Here, LCM (a, b) denotes the lowest common multiple of a and b.

FIG. 1 shows the configuration of a system according to the firstembodiment. As shown in this drawing, the system includes animage-generation device 11 configured to synthesize image informationfor authentication and the digital-signature information thereof, aregistration authority 12 that can communicate with the image-generationdevice 11, and an image-verification device 13.

The image-generation device 11 has the function of setting a private keyfor synthesizing a digital signature, the function of synthesizing imagedata and photographing an image, the function of synthesizing thedigital signature corresponding to the synthesized image data, thefunction of synthesizing auxiliary parameters (where a camera is used,for example, photographing time, a focal length, an f number, the ISOsensitivity, metering mode, the image-file size, photographer'sinformation, and so forth), the function of synthesizing an image filewith the digital signature (including image data, the digital signature,an auxiliary parameter, and so forth), and the function of performingcommunications with the registration authority 12. Further, theimage-generation device 11 can be, but is not limited to, animage-pickup device such as a digital camera, a digital-video camera, ascanner, and so forth, and electronic equipment including a camera unit.Hereinafter, the image-generation device 11 is used for a digital-stillcamera for the sake of simplicity.

The registration authority 12 has the function of verifying a user, thefunction of synthesizing a private key unique to a valid user and apublic key that are paired off with each other according to a requesttransmitted from the valid user, the function of adding a public-keycertificate to the public key and transmitting the public key and thepublic-key certificate to the valid user, the function of informing andreleasing the public key of the registration authority 12. Further, inthe present embodiment, the registration authority 12 is provided, as apersonal computer (PC) that can perform communications via a network.The registration authority 12 is not limited to this implementation, andany entity that would enable practice of the present invention isapplicable.

The image-verification device 13 has the function of separating thedigital-signature-added image file, the function of verifying thedigital signature separated from the image data, and the function ofproducing a display image of the verification result. Further, theimage-verification device 13 can be, but is not limited to, a web serverconfigured to store data, a PC configured to distribute the data, or asmall apparatus including a CPU, a memory, and so forth. Hereinafter,the image-verification device 13 will be described, as the PC for thesake of simplicity.

FIG. 2 is a block diagram showing the configuration of theimage-generation device 11 according to the first embodiment. In thisdrawing, an image-pickup unit 25 includes an optical lens and animage-pickup element, and a key-hold unit 21 includes a writablenonvolatile memory. A calculation unit 23 performs predeterminedcalculation according to a request transmitted from a control unit 24,which is configured to control the entire system, and an image-filegeneration unit 26 synthesizes an image file in a predetermined formatbased on a picked-up image and writes the image file into a removablememory card (not shown). An operation unit 22 includes a display unit (aliquid-crystal display or the like) configured to confirm the picked-upimage and produce display images of various menus, switches, andbuttons. The operation unit 22 functions as an interface between thesystem and a user. Further, a hash-generation unit 27, configured tocalculate a hash value, and a digital-signature generation unit 28 areprovided.

FIG. 3 is a block diagram illustrating the functions of theimage-verification device 13 according to the first embodiment. Asdescribed above, the image-verification device 13 is formed, as a PC.Since the configuration of a PC is not pertinent to the practice of thepresent invention, FIG. 3 only shows an example where a programconfigured to function as a verification device is executed. Namely,each of the function units shown in FIG. 3 is formed as a CPU and aprogram configured to perform the processing of the CPU.

FIG. 3 shows an image-file separation unit 62 configured to separateimage data and signature data from an image file, a hash-generation unit63, and a display unit 65 configured to produce a display image of averification result (e.g., whether or not data is changed). FIG. 3further includes an input unit 61 configured to transmit an image filefor verification, where the input unit 61 functions as a network I/Fwhen the image file is transmitted via a network or the like, and a cardreader (not shown) for reading the image file from a recording mediumsuch as a memory card. The drawing further includes a control unit 66configured to control the entire system, a signature-verification unit64, and a judgement unit 67.

FIG. 4 is a functional block diagram showing the configuration of aregistration authority 12 according to the first embodiment. FIG. 4includes a communication unit 71 connected to the Internet forcommunicating with the PC of the user who owns the image-generationdevice 11, a key-data generation unit 72 configured to synthesize keyinformation and a public-key certificate P that will be described later,a database 73 configured to store private keys d, described in moredetail below, stored and held in the image-generation devices 11 by themanufacturer of each of the image-generation devices 11 and to storedata used for making a validity check of a user when the user tries toaccess the registration authority 12. FIG. 4 further includes a controlunit 74 configured to control the entire registration authority 12.

In the above-described system, processing for distributing adigital-signature private key to each of users is described according tothe flowchart of FIG. 5. Here, the image-generation device 11 has thetechnique of performing safe communications with the registrationauthority 12. For example, an encryption-communication software programis provided as a bundled software program of the image-generation device11, and a password is added to each of the image-generation devices 11,where the password is unique to the image-generation device 11. Further,the image-generation device 11 holds predetermined private information din the key-hold unit 21 (e.g., a writable nonvolatile memory) installedduring the manufacturing procedures. The private information d is commonto all of the image-generation devices 11 provided by theimage-generation device's manufacturer. The registration authority 12also holds the private information d in the database 73 so that the userof the image-generation device 11 is not informed of the existence ofthe private information d.

In the present invention, each of the private information d andspecifiers ei, di, and Ni indicates a numerical value that is set as anumerical value having a predetermined bit length.

Turning to FIG. 5, in step S31, a user installs the bundled softwareonto the user's PC, provides a safe communication path between the PCand the registration authority 12, and provides the passwordcorresponding to the ID of the image-generation device 11 to theregistration authority 12. Next, in step S32, the registration authority12 stores a list of correspondence between the IDs of theimage-generation devices 11 and the passwords in the database 73 andconfirms the validity of the password. If it is determined that thepassword is not valid, the registration authority 12 stops theprocessing. Otherwise, flow proceeds to step S33, where the registrationauthority 12 controls the key-data generation unit 72 so that user “i”synthesizes a private key di, public keys ei and Ni, and the public-keycertificate P satisfying the relationship between equations (1) and (2):di×d×ei=1modΦ(Ni)  Equation (1)Φ(Ni)=LCM((p−1)(q−1))  Equation (2)Here, p and q denote prime numbers. Further, the public-key certificateP certifies the validity of a user's public key. Here, the keycertificate P is signed by using the private key of the registrationauthority 12.

Then, in step S34, the private key di, the public keys ei and Ni, andthe public-key certificate P are transmitted to the user through thesafe communication path. The above-described information itemstransmitted to the image-generation devices 11 that are of the same typeand that are provided by the same manufacturer are different from eachother. Subsequently, the private key di, the public keys ei and Ni, andthe public-key certificate P are synthesized so that the relationshipbetween the equations (1) and (2) are satisfied. Further, the privatekey di, the public keys ei and Ni, and the public-key certificate P aresynthesized based on, but not limited to, random numbers, the name andaddress of the user, a password used by the user for making applicationto the registration authority 12, and so forth.

Upon receiving the various information items transmitted from theregistration authority 12 in the above-described manner, an applicationprogram installed on the user's PC produces a display image of theinformation items that are shown based on the hexadecimal system,whereby a message including a message prompting the user to set thetransmitted information to the image-generation device 11.

In step S35, the user sets the private keys di, the public keys ei, andthe public-key certificate P to the key-hold unit 21 by operating theoperation unit 22 shown in FIG. 2. As a result, the control unit 24performs the calculation ddi=d×di at the calculation unit 23 by usingthe private key d that is stored in the key-hold unit 21 and that is notreleased to the user, and the transmitted private key di. Then, in stepS36, the control unit 24 stores the calculation result in the key-holdunit 22.

The key-hold unit 21 is provided as a memory from which no data can beread and transmitted to any external unit except the calculation unit 23and the digital-signature generation unit 30, so as to prevent leakageof the key-information. The calculation unit 23 includes at least a CPU,a RAM, a ROM, a special-purpose IC chip, and performs predeterminedcalculations.

Next, normal image-pickup processing performed by the image-generationdevice 11 according to the first embodiment will be described. Here, theimage-generation device 11 is used for a camera, so that AF processingprocedures and AE processing procedures are performed. Since the AF andAE processing procedures have no direct bearing on the presentinvention, the details thereof will not be described. However,processing procedures performed after a shutter button of the operationunit 22 is pressed will be described according to a flowchart shown inFIG. 6.

First, in step S41, the operation unit 22 is operated so that theimage-pickup unit 25 synthesizes picked-up image data D. Then, in stepS42, the image-file generation unit 26 converts the picked-up image dataD into a file compressed and encoded by compression-and-encodingprocessing based on the known JPEG standards.

Flow then proceeds to step S43, the data on the compressed image file istransmitted to the hash generation unit 27 so that the hash value h isgenerated and the digital-signature generation unit 28 performscalculation by using the private key ddi stored in the key-hold unit 21and synthesizes the digital signature s. Next, in step S44, the controlunit 24 inserts the synthesized digital signature S, the public keys eiand the public-key certificate P into a predetermined area (e.g., theheader portion) of the image file synthesized by the image-filegeneration unit 26 and stores the image file in a memory card (notshown). That is to say, at step S44, an image D, a digital signature S,the public keys ei, and the public-key certificate P are generated as asingle file.

Here, the image-pickup unit 25 includes an optical sensor such as acharge-coupled device (CCD) and synthesizes the image data and auxiliaryparameters of an object according to an instruction transmitted to theoperation unit 22. Further, the image file synthesized by the image-filegeneration unit 26 may be based on any one of the JPEG file interchangeformat (JFIF), the tagged image file format (TIFF), graphics interchangeformat (GIF), formats obtained by expanding the above-described formats,or other image-file formats. Further, generally known hash functionssuch as MD5, SHA1, RIPEMD, and so forth are used as the hash function Hemployed by the hash-generation unit 27. The digital-signaturegeneration unit 28 includes a CPU configured to performsignature-synthesis processing by using the above-described RSA code anda memory including a RAM, a ROM, and so forth configured to store keyinformation required by the CPU. The control unit 24 controls theabove-described processing procedures.

Next, digital-signature verification performed by the image-verificationdevice 13 will be described according to the flowchart shown in FIG. 7.

FIG. 1 shows a bi-directional arrow extending from the image-generationdevice 11 to the image-verification device 13, which indicates that animage file is transmitted therebetween via communications and/or arecording medium.

Turning to FIG. 7, first, in step S51, an image file including an imageD, a digital signature, the public keys ei and the public-keycertificate P is read from the input unit 61. Then, in step S52, theimage-file separation unit 62 separates the image D, the digitalsignature, the public keys ei and the public-key certificate P from theread image file.

Next, in step S53, the hash-generation unit 63 synthesizes the hashvalue H from the image D.

Flow then proceeds to step S54, where the image-verification device 13tests the separated public-key certificate P by using a public keyreleased by the registration authority 12 in the signature-verificationunit 64.

If the verification result is not correct, the display image of amessage or the like indicating that the public-key certificate P failedthe verification is produced, whereby the digital-signature verificationis terminated.

If the verification result is correct, flow proceeds to step S55, wherethe separated digital signature S is decoded by thesignature-verification unit 64 by using the public key ei. Then, in stepS56, the hash value H calculated at step S53 is compared to a value Mdecoded at step S55 by the judgement unit 66. When the hash value Hagrees with the value M, flow proceeds to step S57, where it isdetermined that there is no change. Otherwise, flow proceeds to stepS58, where it is determined that there is a change. Finally, in stepS59, a display image of the judgement result is produced on the displayunit 65 such as a monitor. For example, when the judgement unit 66determines that there is no change, a display image “not changed” isproduced, and when the judgement unit 66 determines that there is achange, a display image “changed” is produced.

Thus, according to the first embodiment, when the user of theimage-generation device 11 transmits a registration request to theregistration authority 12, the private key di unique to the user and thepublic keys ei and Ni, and the public-key certificate P are transmittedand the result is set to the image-generation device 11. At that time,the user is informed of the private key di. The control unit 24 of theimage-generation device 11 synthesizes the private key ddi according tothe private keys d and di prepared by the manufacturer in advance sothat the private key ddi is used for synthesizing a digital signature.Therefore, only the registration authority 12 knows the private key ddi.

If a third party having the image-generation device 11 whose model andmanufacturer are the same as those of the above-describedimage-generation device 11 transmits a registration request to theregistration authority 12, a private key dj, public keys ej and Nj, andthe public-key certificate P are transmitted to the third party. Theprivate key synthesized by the image-generation device 11 is indicatedby the specifier ddj so that the private keys ddi and di are kept asecret.

The first embodiment of the present invention allows reducing a load ona manufacturer and the leakage of a private key. Further, even thoughthe private key is analyzed, the first embodiment allows preventingother devices from being affected by the analysis.

Other Embodiments

Other embodiments will be described below. According to the firstembodiment, the digital signature is synthesized only for the image dataon an object. However, digital-signature data can be synthesized forinformation, e.g., metadata of the image data, such as the auxiliaryparameters including the photographing time, the focal length, the fnumber, the ISO sensitivity, the metering mode, the image-file size, thephotographer's information, and so forth. In that case, thedigital-signature data can also be synthesized by the same mechanism asis the case with the image data and the digital-signature verificationcan also be performed for the auxiliary parameters.

Since each of the image data and the metadata is binary data, thedigital-signature verification can be achieved by replacing the imagedata with the metadata. That is to say, the digital-signatureverification can be achieved by transmitting the metadata to thehash-generation unit 27 in place of the image data. This data change isachieved by the control unit 24. Therefore, the image D described inFIGS. 6 and 7 should be replaced with the auxiliary parameters.Subsequently, it becomes possible to detect not only changes in theimage data, but also those in the metadata on an image.

In the first embodiment, the public-key certificate P is issued by theregistration authority 12 for the sake of simplicity. However, acertificate authority established based on the widely known public-keyinfrastructure (PKI) may issue the public-key certificate P.

Further, according to the first embodiment, the private key di, thepublic key ei, and the public-key certificate P are set to the key-holdunit 21, at step S35. However, in another embodiment, only the privatekey di is set to the key-hold unit 21. In that case, the generateddigital signature S is inserted into the predetermined area of thegenerated image file so that the image file including the image D andthe digital signature S is generated, at step S44.

Further, according to the first embodiment, the image file including theimage D, the digital signature, the public key ei, and the public-keycertificate P is read, at step S51. However, it may be arranged that theimage file including the image D and the digital signature S be read. Inthat case, the public-key certificate P tested at step S54 and thepublic key ei used at step S56 may be acquired from an external device(the certificate authority, the registration authority, and so forth).Further, where the image file including the image D and the digitalsignature S is read, at step S51, the image file is divided into theimage D and the digital signature S, at step S52.

Thus, the embodiments of the present invention have been described. Inthe first and other embodiments, the image-generation device 11 (adigital-still camera) has been described as a device configured tosynthesize information for verification. However, the present inventionis not used only for the above-described device. Namely, the presentinvention can be used for any device configured to synthesizedigital-signature data by using the above-described private key ddi,when data for verification is synthesized, or when the devicesynthesizes the data for verification.

An example of the above-described device will be described below.

A memory card is prepared as a USB device storing the private key d. Theprivate key d stored in the memory card is set by the manufacturer ofthe device so that the user cannot access the private key d.

Then, when a document is generated by the PC, an application program forsynthesizing the digital signature S is started. The application programsynthesizes the private key ddi by using the private key d and theprivate key di transmitted from the registration authority 12, andsynthesizes signature data on the document file and a single file.

Further, the above-described embodiments have been described based onthe premise that the user of the image-generation device 11 has a PC.However, when the image-generation device 11 has a network-connectionfunction, the present invention is not limited to the above-describedembodiments. For example, a mobile phone or the like can be used foracquiring key information or the like.

Thus, even though hardware including a memory card or the like isrequired, the present invention can be used for an application programrunning on a PC. Usually, the application program is stored in acomputer-readable recording medium such as a CD-ROM, set to a computer,and copied and installed onto a system, so as to be executable.Therefore, the above-described computer-readable recording medium is inthe scope of the present invention.

In other words, the foregoing description of the embodiments has beengiven for illustrative purposes only and not to be construed as imposinglimitation in every respect.

The scope of the invention is, therefore, to be determined solely by thefollowing claims and not limited by the text of the specifications andalterations made within a scope equivalent to the scope of the claimsfall within the true spirit and scope of the invention.

This application claims the benefit of Japanese Application No.2004-244129 filed Aug. 24, 2004, which is hereby incorporated byreference herein in its entirety.

1. A data-processing device comprising: a holding unit arranged to holdfirst private-key information; an inputting unit arranged to inputsecond private-key information; a private-key-information generatingunit arranged to generate third private-key information based on thefirst private-key information and the second private-key information,and store the third private-key information; a signature-informationgenerating unit arranged to generate signature information based oninformation to be verified and the third private-key information; anoutputting unit arranged to output the information to be verified andthe signature information; a database arranged to hold the firstprivate-key information held in the hold unit provided in thedata-processing device for registration; a unit arranged to acquire thefirst private-key information for the data-processing device forregistration by referring to the database, where a registration requestis transmitted via a network, generate the second private-keyinformation according to a predetermined algorithm, and generatepublic-key information that corresponds to the third private-keyinformation generated based on the first private-key information and thesecond private-key information; and a transmission unit arranged totransmit the generated second private-key information and public-keyinformation to a request source.
 2. A data-processing device accordingto claim 1, wherein the inputting unit inputs public-key information forverifying whether or not the information to be verified is changed,where the third private-key information is the private key informationof the public-key information.
 3. A data-processing device according toclaim 2, wherein the inputting unit further inputs certificateinformation used for authenticating the public-key information.
 4. Adata-processing device according to claim 3, wherein the outputting unitoutputs the information to be verified, the signature information, thepublic-key information and the certificate information as a single file.5. A data-processing device according to claim 1, further comprising agenerating unit for generating the information to be verified.
 6. Adata-processing device according to claim 1, further comprising animage-pickup unit, wherein data on a predetermined image picked up bythe image-pickup unit is generated as the information to be verified. 7.A data-processing device according to claim 1, wherein the secondprivate-key information is key information that varies from one user toanother.
 8. A data-processing device according to claim 7, wherein thefirst private-key information is not open to any of the users.